yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #85038
[Bug 1454087] Re: Image data stays in store if image is deleted after creating image using import task (CVE-2015-3289)
** Changed in: glance
Status: New => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1454087
Title:
Image data stays in store if image is deleted after creating image
using import task (CVE-2015-3289)
Status in Glance:
Fix Released
Status in OpenStack Security Advisory:
Fix Released
Bug description:
Image data stays in store if image is deleted after creating image
using import task
Trying to delete image created using task api (import-from) image gets
deleted from the database, but image data remains in the backend.
Steps to reproduce:
1. Create image using task api
$ curl -i -X POST -H 'User-Agent: python-glanceclient' -H 'Content-
Type: application/json' -H 'Accept-Encoding: gzip, deflate, compress'
-H 'Accept: */*' -H 'X-Auth-Token: 35a9e49237b74eddbe5057eb434b3f9e'
-d '{"type": "import", "input": {"import_from":
"http://releases.ubuntu.com/14.10/ubuntu-14.10-server-i386.iso";,
"import_from_format": "raw", "image_properties": {"disk_format":
"raw", "container_format": "bare", "name": "task_image"}}}'
http://10.69.4.176:9292/v2/tasks
2. wait until image becomes active.
3. Confirm image is in active state.
$ glance image-list
4. Delete the image
$ glance image-delete <image-id>
5. Verify image-list does not show deleted image
$ glance image-list
Image gets deleted from the database but image data presents in the
backend.
Note:
This issue is fixed in master by this patch https://review.openstack.org/#/c/181345/4
This issue will be resolved by back-porting above patch to stable/kilo.
Affected branches: stable/kilo
To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1454087/+subscriptions
